04-04-2018 01:04 AM - edited 03-12-2019 05:10 AM
Dear community
I have the same problem as written in these two posts:
https://supportforums.cisco.com/t5/unified-communications/wrong-end-date-in-ios-15-3-and-15-5/td-p/2854362
Problem with writing in posts that are old is, noone ever is reading these things again. So thats why i create a new topic with this one.
If we import the certificate of our root CA in base64, it has a wrong end date. I use the exact same commands to import the CA certificate on two different IOS routers.
Cisco ISR 4451 with IOS XE 16.5.1b
roRZ201#show crypto pki certificates MERBAGCA CA Certificate Status: Available Certificate Serial Number (hex): 17327860BB10B0894D6A09FFB712D1F7 Certificate Usage: Signature Issuer: cn=MERBAG Root Certificate Authority ou=IT o=MERBAG c=CH Subject: cn=MERBAG Root Certificate Authority ou=IT o=MERBAG c=CH Validity Date: start date: 09:49:23 CET Mar 8 2018 end date: 09:59:21 CET Mar 8 2038 Associated Trustpoints: MERBAGCA Storage: nvram:MERBAGRootCe#C1F7CA.cer
Cisco 897VA with IOS 15.6(2)T1
roTST01#show crypto pki certificates MERBAGCA CA Certificate Status: Available Certificate Serial Number (hex): 17327860BB10B0894D6A09FFB712D1F7 Certificate Usage: Signature Issuer: cn=MERBAG Root Certificate Authority ou=IT o=MERBAG c=CH Subject: cn=MERBAG Root Certificate Authority ou=IT o=MERBAG c=CH Validity Date: start date: 09:49:23 CET Mar 8 2018 end date: 03:31:05 CET Jan 31 1902 Associated Trustpoints: MERBAGCA
Both routers sync their time with the same NTP server and are in synchronized state. No that this would have anything to do with this, but just in case someone wants to bring that question up.
I suspect that this has something to do with the UNIX timestamp. The latest possible date & time for the 32bit based stamp is the 19th of January 2038 at 03:14:08 (UTC). So one of the cases mentioned above, has the end date for their CA certificate after that date as well. For the other case, i cannot say because the post never mentions the correct end date. IOS XE could, being completely rewritten, use another algorithm (maybe in 64bit) to count beyond that date.
Any help is much appreciated.
Solved! Go to Solution.
04-04-2018 05:16 AM - edited 04-04-2018 05:16 AM
After upgrading to one of the fixed IOS versions (15.7(3)M1), the end date is displayed correctly without re-importing the certificate:
roTST01#show crypto pki certificates MERBAGCA CA Certificate Status: Available Certificate Serial Number (hex): 17327860BB10B0894D6A09FFB712D1F7 Certificate Usage: Signature Issuer: cn=MERBAG Root Certificate Authority ou=IT o=MERBAG c=CH Subject: cn=MERBAG Root Certificate Authority ou=IT o=MERBAG c=CH Validity Date: start date: 09:49:23 CET Mar 8 2018 end date: 09:59:21 CET Mar 8 2038 Associated Trustpoints: MERBAGCA Storage: nvram:MERBAGRootCe#C1F7CA.cer
04-04-2018 01:46 AM
This bug describes the issue:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsl95969/?rfs=iqvred
I am gonna install one of the fixed releases and report back.
04-04-2018 05:16 AM - edited 04-04-2018 05:16 AM
After upgrading to one of the fixed IOS versions (15.7(3)M1), the end date is displayed correctly without re-importing the certificate:
roTST01#show crypto pki certificates MERBAGCA CA Certificate Status: Available Certificate Serial Number (hex): 17327860BB10B0894D6A09FFB712D1F7 Certificate Usage: Signature Issuer: cn=MERBAG Root Certificate Authority ou=IT o=MERBAG c=CH Subject: cn=MERBAG Root Certificate Authority ou=IT o=MERBAG c=CH Validity Date: start date: 09:49:23 CET Mar 8 2018 end date: 09:59:21 CET Mar 8 2038 Associated Trustpoints: MERBAGCA Storage: nvram:MERBAGRootCe#C1F7CA.cer
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: